Manage certificates in Azure Automation

Azure Automation stores certificates securely for access by runbooks and DSC configurations, by using the Get-AzAutomationCertificate cmdlet for Azure Resource Manager resources. Secure certificate storage allows you to create runbooks and DSC configurations that use certificates for authentication, or add them to Azure or third-party resources.

Note

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Automation by using a unique key that is generated for each Automation account. Automation stores the key in the system-managed Key Vault service. Before storing a secure asset, Automation loads the key from Key Vault, and then uses it to encrypt the asset.

PowerShell cmdlets to access certificates

The cmdlets in the following table create and manage Automation certificates with PowerShell. They ship as part of the Az modules.

Cmdlet | Description
Get-AzAutomationCertificate | Retrieves information about a certificate to use in a runbook or DSC configuration. You can only retrieve the certificate itself by using the internal Get-AutomationCertificate cmdlet.
New-AzAutomationCertificate | Creates a new certificate in Automation.
Remove-AzAutomationCertificate | Removes a certificate from Automation.
Set-AzAutomationCertificate | Sets the properties for an existing certificate, including uploading the certificate file and setting the password for a .pfx file.

The Add-AzureCertificate cmdlet can also be used to upload a service certificate for the specified cloud service.

Internal cmdlets to access certificates

The internal cmdlet in the following table is used to access certificates in your runbooks. This cmdlet comes with the global module Orchestrator.AssetManagement.Cmdlets. For more information, see Internal cmdlets.

Internal Cmdlet | Description
Get-AutomationCertificate | Gets a certificate to use in a runbook or DSC configuration. Returns a System.Security.Cryptography.X509Certificates.X509Certificate2 object.

Note

You should avoid using variables in the Name parameter of Get-AutomationCertificate in a runbook or DSC configuration. Such variables can complicate discovery of dependencies between runbooks or DSC configurations and Automation variables at design time.

Python functions to access certificates

Use the function in the following table to access certificates in a Python 2 or Python 3 runbook. Python 3 runbooks are currently in preview.

Function | Description
automationassets.get_automation_certificate | Retrieves information about a certificate asset.

Note

You must import the automationassets module at the beginning of your Python runbook to access the asset functions.

Create a new certificate

When you create a new certificate, you upload a .cer or .pfx file to Automation. If you mark the certificate as exportable, then you can transfer it out of the Automation certificate store. If it isn't exportable, then it can only be used for signing within the runbook or DSC configuration. Automation requires the certificate to have the provider Microsoft Enhanced RSA and AES Cryptographic Provider.

Create a new certificate with the Azure portal

  1. From your Automation account, on the left-hand pane select Certificates under Shared Resources.
  2. On the Certificates page, select Add a certificate.
  3. In the Name field, type a name for the certificate.
  4. To browse for a .cer or .pfx file, under Upload a certificate file, choose Select a file. If you select a .pfx file, specify a password and indicate whether it can be exported.
  5. Select Create to save the new certificate asset.

Create a new certificate with PowerShell

The following example demonstrates how to create a new Automation certificate and mark it exportable. This example imports an existing .pfx file.

# Name of the certificate asset and the .pfx file to import
$certificateName = 'MyCertificate'
$PfxCertPath = '.\MyCert.pfx'
# Sample password for illustration; in practice prompt for it (Read-Host -AsSecureString) rather than embedding it in the script
$CertificatePassword = ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force
$ResourceGroup = "ResourceGroup01"

# -Exportable allows the certificate to be transferred out of the Automation certificate store later
New-AzAutomationCertificate -AutomationAccountName "MyAutomationAccount" -Name $certificateName -Path $PfxCertPath -Password $CertificatePassword -Exportable -ResourceGroupName $ResourceGroup
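An added pre-upload check, not code from the original page or the Az module, that verifies a .pfx meets the requirements stated above before it is imported: a private key is present, the key uses the Microsoft Enhanced RSA and AES Cryptographic Provider, and the certificate has not expired. The function name Test-AutomationPfx and the file and account names are assumptions; the provider check relies on Windows PowerShell 5.1, where X509Certificate2.PrivateKey exposes CSP (CryptoAPI) keys and throws for CNG-backed keys.

```powershell
# Added example (not from the original page or the Az module): validate a .pfx against the
# requirements above before importing it. Test-AutomationPfx and the file names are assumptions;
# the provider check relies on Windows PowerShell 5.1, where X509Certificate2.PrivateKey
# exposes CSP (CryptoAPI) keys and throws for CNG-backed keys.
function Test-AutomationPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $requiredProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    # Exportable lets us inspect the key; without PersistKeySet nothing is left in a key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList @($Path, $Password, $flags)
    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key: a .cer can only be used for public-key operations'
    } else {
        try {
            $key = $cert.PrivateKey
            $provider = $key.CspKeyContainerInfo.ProviderName
            if ($provider -ne $requiredProvider) {
                $problems += "key provider is '$provider', expected '$requiredProvider'"
            }
        } catch {
            $problems += "private key is not a CSP key; re-export it with the required provider ($($_.Exception.Message))"
        }
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "certificate expired on $($cert.NotAfter)"
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "certificate expires within 30 days ($($cert.NotAfter))"
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        IsValid    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Prompt for the password instead of embedding it, then import only if the checks pass.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$check = Test-AutomationPfx -Path '.\MyCert.pfx' -Password $pfxPassword
if (-not $check.IsValid) { throw ($check.Problems -join '; ') }
New-AzAutomationCertificate -ResourceGroupName 'ResourceGroup01' -AutomationAccountName 'MyAutomationAccount' `
    -Name 'MyCertificate' -Path '.\MyCert.pfx' -Password $pfxPassword -Exportable
```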

Create a new certificate with a Resource Manager template

The following example demonstrates how to deploy a certificate to your Automation account by using a Resource Manager template through PowerShell:

$AutomationAccountName = "<automation account name>"
$PfxCertPath = '<PFX cert path and filename>'
$CertificatePassword = '<password>'
$certificateName = '<certificate name>' #A name of your choosing
$ResourceGroupName = '<resource group name>' #The one that holds your automation account
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable `
    -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet `
    -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
# Load the certificate into memory
$PfxCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($PfxCertPath, $CertificatePassword, $flags)
# Export the certificate (including the private key) and convert it into a base64 string
$Base64Value = [System.Convert]::ToBase64String($PfxCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12))
$Thumbprint = $PfxCert.Thumbprint

# Build the template; JSON strings must be double-quoted, and `$ escapes the literal $ in the here-string
$json = @"
{
    "`$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "name": "$AutomationAccountName/$certificateName",
            "type": "Microsoft.Automation/automationAccounts/certificates",
            "apiVersion": "2015-10-31",
            "properties": {
                "base64Value": "$Base64Value",
                "thumbprint": "$Thumbprint",
                "isExportable": true
            }
        }
    ]
}
"@

$json | out-file .\template.json
New-AzResourceGroupDeployment -Name NewCert -ResourceGroupName $ResourceGroupName -TemplateFile .\template.json
# template.json now holds the unencrypted private key in base64Value; do not leave it on disk or commit it
Remove-Item .\template.json

Get a certificate

To retrieve a certificate, use the internal Get-AutomationCertificate cmdlet. You can't use the Get-AzAutomationCertificate cmdlet, because it returns information about the certificate asset, but not the certificate itself.

Textual runbook example

The following example shows how to add a certificate to a cloud service in a runbook. In this sample, the password is retrieved from an encrypted Automation variable.

$serviceName = 'MyCloudService'
# The internal cmdlet returns the X509Certificate2 object itself
$cert = Get-AutomationCertificate -Name 'MyCertificate'
# Encrypted variables can only be read with the internal Get-AutomationVariable cmdlet;
# Get-AzAutomationVariable returns the asset's metadata without the decrypted value
$certPwd = Get-AutomationVariable -Name 'MyCertPassword'
Add-AzureCertificate -ServiceName $serviceName -CertToDeploy $cert -Password $certPwd
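A second added runbook example, not from the original page, showing the one operation a non-exportable certificate asset permits: signing inside the runbook. It checks the asset before use, signs a constructed payload with RSA-SHA256, and verifies the signature with the public key. The asset name 'MyCertificate' and the payload are assumptions; it relies on the .NET Framework 4.6+ RSA extension methods available in Windows PowerShell 5.1.

```powershell
# Added example (not from the original page): use a certificate asset only for signing.
# 'MyCertificate' and the payload below are assumptions / constructed sample data.
$cert = Get-AutomationCertificate -Name 'MyCertificate'

# Fail early with a clear message rather than a null-reference error later in the job.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; upload a .pfx, not a .cer"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}

# Constructed sample payload; a real runbook would sign a manifest, token or message body.
$payload = [System.Text.Encoding]::UTF8.GetBytes('deployment manifest v1 (constructed sample)')
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Sign with RSA-SHA256 / PKCS#1 v1.5. The private key is used in the sandbox and never exported.
$rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signature = $rsaPriv.SignData($payload, $hashAlg, $padding)

# Anyone holding only the public certificate (.cer) can verify the signature.
$rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$verified = $rsaPub.VerifyData($payload, $signature, $hashAlg, $padding)

# Emit the result as job output; the signature is safe to publish, the key never is.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Signature  = [System.Convert]::ToBase64String($signature)
    Verified   = $verified
}
```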

Graphical runbook example

Add an activity for the internal Get-AutomationCertificate cmdlet to a graphical runbook by right-clicking the certificate in the Library pane and selecting Add to canvas.

[Screenshot: adding the certificate to the canvas]

The following image shows an example of using a certificate in a graphical runbook.

[Screenshot: graphical authoring example]

Next steps